From 78a5175536d61fc654e53e97d78d03ee640629ad Mon Sep 17 00:00:00 2001
From: SkelSec
Date: Wed, 1 May 2024 16:59:15 +0200
Subject: [PATCH] some fixes for header parsing

---
 aiowinreg/_version.py | 2 +-
 aiowinreg/filestruct/header.py | 48 +++++++++++++++++++++-------------
 aiowinreg/filestruct/nk.py | 2 +-
 3 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/aiowinreg/_version.py b/aiowinreg/_version.py
index 01e5d04..a7309cc 100644
--- a/aiowinreg/_version.py
+++ b/aiowinreg/_version.py
@@ -1,4 +1,4 @@
-__version__ = "0.0.10"
+__version__ = "0.0.11"
 __banner__ = \
 """
 # aiowinreg %s
diff --git a/aiowinreg/filestruct/header.py b/aiowinreg/filestruct/header.py
index ed8fcc9..232c56b 100644
--- a/aiowinreg/filestruct/header.py
+++ b/aiowinreg/filestruct/header.py
@@ -1,5 +1,6 @@
 # https://bazaar.launchpad.net/~guadalinex-members/dumphive/trunk/view/head:/winreg.txt
+# https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md
 """
 0x00000000 D-Word ID: ASCII-"regf" = 0x66676572
 0x00000004 D-Word ????
@@ -19,39 +20,50 @@ class NTRegistryHeadr:
 
     def __init__(self):
         self.magic = b'regf'
-        self.u1 = None
-        self.u2 = None
+        self.primary_sequence_number = None
+        self.secondary_sequence_number = None
         self.last_modified = None
-        self.u3 = None
-        self.u4 = None
-        self.u5 = None
-        self.u6 = None
+        self.version_major = None
+        self.version_minor = None
+        self.file_type = None
+        self.file_format = None
         self.offset = None
         self.size = None
-        self.u7 = None
-        self.chksum = None
+        self.clustering_factor = None
+        self.file_name = None
+        self.reserved = None
+        self.checksum = None #XOR-32 checksum of the previous 508 bytes
+        self.boot_type = None
+        self.boot_recover = None
 
     def parse_header_bytes(self, data):
         self.parse_header_buffer(io.BytesIO(data))
 
     def parse_header_buffer(self, reader):
         self.magic = reader.read(4)
-        self.u1 = reader.read(4)
-        self.u2 = reader.read(4)
+        self.primary_sequence_number = int.from_bytes(reader.read(4), 'little', signed = False)
+        self.secondary_sequence_number = int.from_bytes(reader.read(4), 'little', signed = False)
         self.last_modified = reader.read(8)
-        self.u3 = int.from_bytes(reader.read(4), 'little', signed = False)
-        self.u4 = int.from_bytes(reader.read(4), 'little', signed = False)
-        self.u5 = int.from_bytes(reader.read(4), 'little', signed = False)
-        self.u6 = int.from_bytes(reader.read(4), 'little', signed = False)
+        self.version_major = int.from_bytes(reader.read(4), 'little', signed = False)
+        self.version_minor = int.from_bytes(reader.read(4), 'little', signed = False)
+        self.file_type = int.from_bytes(reader.read(4), 'little', signed = False)
+        self.file_format = int.from_bytes(reader.read(4), 'little', signed = False)
         self.offset = int.from_bytes(reader.read(4), 'little', signed = False)
         self.size = int.from_bytes(reader.read(4), 'little', signed = False)
-        self.u7 = int.from_bytes(reader.read(4), 'little', signed = False)
-        self.chksum = int.from_bytes(reader.read(4), 'little', signed = False)
-
+        self.clustering_factor = int.from_bytes(reader.read(4), 'little', signed = False)
+        try:
+            self.file_name = reader.read(64).decode('utf-16-le').replace('\x00','')
+        except:
+            self.file_name = None
+        self.reserved = reader.read(3576)
+        self.checksum = int.from_bytes(reader.read(4), 'little', signed = False)
+        self.boot_type = int.from_bytes(reader.read(4), 'little', signed = False)
+        self.boot_recover = int.from_bytes(reader.read(4), 'little', signed = False)
+
     @staticmethod
     async def aread(reader):
         hdr = NTRegistryHeadr()
-        res = await reader.read(52)
+        res = await reader.read(4096)
         if isinstance(res, tuple):
             data, err = res
             if err is not None:
diff --git a/aiowinreg/filestruct/nk.py b/aiowinreg/filestruct/nk.py
index 2cade70..fb8a8ba 100644
--- a/aiowinreg/filestruct/nk.py
+++ b/aiowinreg/filestruct/nk.py
@@ -91,8 +91,8 @@ def from_buffer(buff):
         assert nk.magic == b'nk'
         nk.flags = NKFlag(int.from_bytes(buff.read(2), 'little', signed = False))
         nk.wite_time = buff.read(8)
-        nk.owner_offset = int.from_bytes(buff.read(4), 'little', signed = False)
         nk.u1 = int.from_bytes(buff.read(4), 'little', signed = False)
+        nk.owner_offset = int.from_bytes(buff.read(4), 'little', signed = False)
         nk.subkey_cnt_stable = int.from_bytes(buff.read(4), 'little', signed = False)
         nk.subkey_cnt = int.from_bytes(buff.read(4), 'little', signed = False)
         nk.offset_lf_stable = int.from_bytes(buff.read(4), 'little', signed = False)
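Review bot: In parse_header_buffer the new `self.reserved = reader.read(3576)` puts the checksum read at offset 3688 instead of 508: the fields read before it (4+4+4+8+4·7+64) total 112 bytes, 112+3576 is not 508, and the hunk's own comment in __init__ says the XOR-32 covers "the previous 508 bytes", while the regf spec linked in the first hunk places the checksum at 508, a 3576-byte reserved area at 512 and the two boot fields at 4088/4092 — the patch's layout also consumes only 3700 of the 4096 bytes that aread now reads. The reads should therefore be 396 reserved bytes, checksum, 3576 reserved bytes, boot_type, boot_recover, and with the checksum at the right place it can be verified against the first 508 bytes so a truncated or corrupted hive is rejected rather than parsed. The bare `except:` around the file-name decode should be `except UnicodeDecodeError:` so it does not swallow KeyboardInterrupt and unrelated errors. Note also that neither this method nor aread (whose body continues outside the hunk) checks the length of the data, so a short read makes every `int.from_bytes` silently return 0.
```python
        self.clustering_factor = int.from_bytes(reader.read(4), 'little', signed = False)
        try:
            self.file_name = reader.read(64).decode('utf-16-le').replace('\x00','')
        except UnicodeDecodeError:
            self.file_name = None
        # offsets 112..507 are reserved/padding; the XOR-32 checksum of bytes 0..507 sits at 508
        self.reserved = reader.read(396)
        self.checksum = int.from_bytes(reader.read(4), 'little', signed = False)
        # offsets 512..4087 are reserved; boot type/recover are the last 8 bytes of the 4096-byte base block
        reader.read(3576)
        self.boot_type = int.from_bytes(reader.read(4), 'little', signed = False)
        self.boot_recover = int.from_bytes(reader.read(4), 'little', signed = False)
```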
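Review bot: The swapped `nk.u1` / `nk.owner_offset` reads fix the field order but the moved line carries no comment saying why this order is the right one, so the next reader cannot tell it from the previous, wrong one. I would annotate both lines with their cell offsets per the regf spec referenced in header.py, e.g. `nk.u1 = int.from_bytes(buff.read(4), 'little', signed = False)  # +12: access bits` and `nk.owner_offset = int.from_bytes(buff.read(4), 'little', signed = False)  # +16: parent key cell offset`, and rename `u1` to `access_bits` in a follow-up the way the header hunk names its former unknowns. The field at +16 is presumably the parent key offset rather than an owner — verify against the spec before relying on the name. The enclosing from_buffer begins outside the hunk.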